malwarewikiaorg-20200223-history
Poison Ivy
Poison Ivy or Poison is a virus on Microsoft Windows. It was written in assembler. It has gone unchanged since 2008, when version 2.3.2 was released. Poison Ivy's wide availability and easy-to-use features make it a popular choice for all kinds of criminals. In 2011, it was used in the "Nitro" campaign that targeted government organizations, chemical manufacturers, human rights groups, and defense contractors. In 2012, attackers exploited a Java zero-day vulnerability to spread the malware, and in 2013 Poison Ivy was used to infect visitors of a US government website by exploiting an Internet Explorer zero-day vulnerability.

Payload

Poison Ivy allows attackers to customize and build their own PIVY server, which is delivered as mobile code to a target that has been compromised, typically through social engineering. Once the server executes on a target's endpoint, it connects to a PIVY client installed on the attacker's machine, giving the attacker control of the target system. The PIVY server code can be executed on the target endpoint in a number of ways, depending on how the attacker configured it. In the most common configuration, the PIVY server divides its code into two parts: initialization and maintenance code, and network code. The initialization and maintenance code is injected into the already-running explorer.exe process. Depending on the configuration, the networking code launches a hidden web browser process (the system's default browser) and injects itself into that process. The networking code then downloads the rest of the code and data it needs for its features and functionality (sent from the attacker's PIVY client as shellcode), and that new code executes on the target's endpoint within the context of the target process.
All of PIVY's global variables, configuration details, and function pointers are stored in a C-style struct (data structure), which is also injected into the target processes along with both the PIVY networking code and the initialization and maintenance code. A side effect of this design is that, in the code's disassembly, every CALL instruction and global variable address is referenced as an offset from a register. The code injected into explorer.exe is peculiar in that, unlike most malware-injected code, it is injected function by function, each function in its own memory region, with the proper function pointers filled in within the struct. If the "persistence" PIVY option is enabled, a watchdog thread is also injected into explorer.exe; it automatically restarts the PIVY server process if the target's operating system unexpectedly terminates it. PIVY's keylogging function, if enabled, is also injected into explorer.exe.

Poison Ivy features a complex, custom network protocol over TCP. Most of this communication is encrypted using the Camellia cipher with a 256-bit key. The key is derived from a password provided by the attacker when building the PIVY server. The password, "admin" by default, can be provided in plain text or as hex-ASCII, and is zero-padded to 32 bytes (256 bits). The key is validated at the beginning of the TCP session with a challenge-response algorithm: the PIVY server sends 256 bytes of randomly generated data to the PIVY client, which encrypts the data using the key and sends it back to the PIVY server for validation. Much of the data sent throughout PIVY's communications is also compressed before encryption using Microsoft's LZNT1 compression algorithm, which PIVY uses through the Windows RtlCompressBuffer API.
The protocol operates by sending encrypted data in chunks, each prepended with the following encrypted 32-byte header:

```c
struct PI_chunk_header {
    int  command_id;
    int  stream_id;
    int  padded_chunk_size;       /* chunk length after cipher padding */
    int  chunk_size;              /* chunk length before padding */
    int  decompressed_chunk_size; /* length after LZNT1 decompression */
    long total_stream_size;       /* 8-byte field, so the header totals 32 bytes */
    int  padding;
};
```

Once installed, it opens a backdoor on the computer. When in control, Poison Ivy can record or manipulate the computer, or activate the webcam and microphone to record audio and video. It accesses several websites from which it downloads and runs files. The downloads can be any type of file, although they are normally malware. It also avoids detection by the user through techniques such as injecting itself into running processes, so that no unusual processes are seen. It also captures certain information entered or saved by the user, with the corresponding threat to privacy:

* Keystrokes, in order to obtain credentials for online banking services, passwords and other confidential information.
* Screenshots of actions carried out.

It then sends the gathered information to a remote user by any available means: email, FTP, etc. It even reduces the security level of the computer, as it listens on open ports in order to control the computer remotely.
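The following is an added example, not code from the wiki page or from the malware, that turns two of the details above into something an analyst can run: the key derivation (plain-text or hex-ASCII password, zero-padded to 32 bytes) and a dissector for the 32-byte PI_chunk_header. It assumes the header is packed little-endian with an 8-byte total_stream_size, and that the padded chunk length is a multiple of Camellia's 16-byte block; the sample header is constructed, not captured.

```python
import struct
from typing import Dict

# Field order follows the PI_chunk_header struct quoted above. Assumption (not
# stated on the page): fields are little-endian and packed, so five ints, one
# 8-byte total_stream_size and the trailing int make exactly 32 bytes.
HEADER_FMT = "<iiiiiqi"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 32
CAMELLIA_BLOCK = 16  # Camellia is a 128-bit block cipher
FIELDS = ("command_id", "stream_id", "padded_chunk_size", "chunk_size",
          "decompressed_chunk_size", "total_stream_size", "padding")


def derive_key(password: str, hex_ascii: bool = False) -> bytes:
    """Builder password -> 256-bit Camellia key: decode hex-ASCII if requested,
    then zero-pad to 32 bytes, exactly as the page describes."""
    raw = bytes.fromhex(password) if hex_ascii else password.encode("ascii")
    if len(raw) > 32:
        raise ValueError("password longer than the 32-byte key")
    return raw.ljust(32, b"\x00")


def build_chunk_header(command_id: int, stream_id: int, padded: int,
                       size: int, decompressed: int, total: int,
                       padding: int = 0) -> bytes:
    """Serialise a (decrypted) chunk header; used to construct test samples."""
    return struct.pack(HEADER_FMT, command_id, stream_id, padded, size,
                       decompressed, total, padding)


def parse_chunk_header(blob: bytes) -> Dict[str, int]:
    """Decode one decrypted 32-byte chunk header and sanity-check the sizes
    before a dissector trusts them to slice the following payload."""
    if len(blob) < HEADER_LEN:
        raise ValueError("need %d bytes, got %d" % (HEADER_LEN, len(blob)))
    hdr = dict(zip(FIELDS, struct.unpack(HEADER_FMT, blob[:HEADER_LEN])))
    if hdr["chunk_size"] < 0 or hdr["padded_chunk_size"] < hdr["chunk_size"]:
        raise ValueError("padded size smaller than chunk size")
    if hdr["padded_chunk_size"] % CAMELLIA_BLOCK:
        raise ValueError("padded size is not block-aligned")
    return hdr


# Constructed sample (not a real capture): command 1, stream 7, a 37-byte
# compressed chunk padded to 48 that inflates to 120 bytes of a 120-byte stream.
SAMPLE_HEADER = build_chunk_header(1, 7, 48, 37, 120, 120)

if __name__ == "__main__":
    print(derive_key("admin").hex())
    print(parse_chunk_header(SAMPLE_HEADER))
```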